[stunnel-users] Confusion regarding part of stunnel.conf

Dave dave at momentumweb.com
Thu Feb 10 01:13:30 CET 2011


I've set up a test of stunnel with the latest stunnel and latest 
openssl, and if I set "verify=0" or "verify=1" I can get it to work (I'm 
tunneling a pop3 session), but if I set it any higher (to 2 or 3) it 
won't work for me.

Now, I'm not sure which level is "necessary" because in stunnel.conf I read:
-------------------------
; authentication stuff needs to be configured to prevent MITM attacks
; it is not enabled by default!
;verify = 2
-------------------------
... which sounds like verify defaults to 0.  But is a verify level of 1 
enough to solve the man-in-the-middle problem?  It seems like it would 
not be (since level 1 will allow absence of a certificate), but I am not 
sure.  I guess my questions boil down to:

1) What are the necessary settings for "authentication stuff" to prevent 
the MITM attack vector mentioned in stunnel.conf?
2) What is the proper way to set up (self-signed) certs to prevent such 
an attack?  Can a self-signed cert be used at a verify level of 2 or 3?

Dave




More information about the stunnel-users mailing list